Access Management 7.3.2

Session quotas

AM lets you limit the number of active sessions for a user by setting session quotas. Use this feature, for example, to prevent a user from logging in from more than two devices at once, mitigating scenarios where user passwords may have been compromised.

AM’s support for session quotas requires server-side sessions.

Configure session quotas and exhaustion actions

The session quota applies to all sessions opened for the same user (as represented by the user’s universal identifier). To configure session quotas and exhaustion in AM, perform the following steps:

  1. In the AM admin UI, go to Configure > Global Services > Sessions > Session Quotas.

  2. From the Enable Quota Constraints drop-down menu, choose ON.

  3. On the Set Resulting behavior if session quota exhausted property, set one of the following values:

    DENY_ACCESS

    Deny access, preventing the user from creating an additional session.

    DESTROY_NEXT_EXPIRING

    Remove the next session to expire, and create a new session for the user. The next session to expire is the session with the minimum time left until expiration.

    This is the default setting.

    DESTROY_OLDEST_SESSION

    Remove the oldest session, and create a new session for the user.

    DESTROY_OLD_SESSIONS

    Remove all existing sessions, and create a new session for the user.

    If none of these session quota exhaustion actions fit your deployment, you can implement a custom session quota exhaustion action. For an example, refer to Customize server-side session quota exhaustion actions.

  4. Go to Realms > Realm Name > Services > Session.

  5. On the Set Active User Sessions property, configure the maximum number of concurrent sessions a user can have.

    Note that you can also change this setting globally for the AM site in Configure > Sessions > Dynamic Attributes.

  6. Click Save Changes.